Bugzilla – Full Text Bug Listing

| Summary: | ClamAV 0.97.5 addresses possible evasion cases in some archive formats and stability issues in bytecode engine | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 12.1 | Reporter: | Andreas Stieger <Andreas.Stieger> |
| Component: | Security | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | max, security-team, toganm |
| Version: | Final | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | openSUSE 12.1 | | |
| Whiteboard: | maint:released:sle10-sp3:47922 maint:released:sle11-sp1:47921 maint:released:sle10-sp4:47923 | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Deadline: | 2012-07-03 | | |
Description
Andreas Stieger
2012-06-18 22:30:58 UTC
Cc package maintainers from OBS. I might send a SR and OBS maintenance request soon.

Fix to security / clamav here: https://build.opensuse.org/request/show/125380
Will follow up with OBS maintenance request.

Thanks for taking care of the update.

Last night I noticed that the virus database was finally removed from the upstream tarball. I had been suggesting that for the last eight years and upstream always rejected it. I think I'll drop the clamav-db package completely now, because in most cases the data either is already there (when updating) or outdated (when installing ClamAV for the first time). The init script already prints out a warning when the files aren't there, and we could get a step further and run freshclam in one-shot mode at that point. Another option would be to make clamav-db a separate source package that gets rebuilt on a daily basis and uses a source service to keep the database files up to date. Opinions?

The SWAMPID for this issue is 47919. This issue was rated as moderate. Please submit fixed packages until 2012-07-03. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.

Here we go then: maintenance request against 11.4 and 12.1, with patchinfo prepared: https://build.opensuse.org/request/show/125394
I think for the release update, adding the .cvd files is more succinct. The -db package may be reviewed or split to be built separately. I could imagine a use-case for users that want to have definitions for a device that is offline otherwise, e.g. sneaker-net or where old definitions are better than none.

(In reply to comment #5)
> Here we go then: maintenance request against 11.4 and 12.1,
Thanks.
> with patchinfo prepared:
FYI: for security updates, the security team takes care of the patchinfo.
> I think for the release update, adding the .cvd files is more succinct.
That doesn't make much sense to me, because usually newer virus definitions are already in place at the time when the update arrives. AFAIK we even skipped the -db package from updates in the past and only released the new binaries.
> I could imagine a use-case for users that want to have definitions for
> a device that is offline otherwise, e.g. sneaker-net
I guess that case is so rare that I'd rather bother such users with having to get the files manually than bothering all others with huge RPMs that they don't really need.
Security team, what do you think?

I don't really have an opinion. I'm not sure whether it's technically feasible to drop subpackages in an update. It may make sense to have clamav-db empty except for some %ghost entries that cause removal of the db on package removal. Calling freshclam _by default_ in the initscript probably isn't such a good idea though as it requires network access which might not be available.

> > I think for the release update, adding the .cvd files is more succinct.
>
> That doesn't make much sense to me, because usually newer virus definitions are
> already in place at the time when the update arrives. AFAIK we even skipped the
> -db package from updates in the past and only released the new binaries.
I agree that updated definitions will already be in place in most cases. However adding the files makes the package behave like the one initially released which is desirable for a released openSUSE version. (It also makes the spec file change easier to review.) I would be concerned about changing the behaviour of a package in a non-trivial way.
For the update, the -db subpackage is not required and I agree that it should be left out.
I think the only place where the -db should be removed is Factory / clamav and security / clamav.

(In reply to comment #7)
> I'm not sure whether it's technically feasible to drop subpackages in an
> update.
Should need more than adding "Obsoletes: clamav-db" to the main package.
> It may make sense to have clamav-db empty except for some %ghost entries
> that cause removal of the db on package removal.
That's not an issue, because the files that are contained in clamav-db never get used directly. The -db package contains them with .dist appended to the file name and copies them to their canonical location in %post. The main package contains %ghost entries for those names, so the database already goes away with the main package regardless whether it was installed with the -db package, with freshclam or manually.
> Calling freshclam _by default_ in the initscript probably isn't such a good
> idea though as it requires network access which might not be available.
Well, I guess in most cases we can expect network access to be available, so why not try to fetch the files and only complain to the user if it fails instead of always complaining even if auto-fetching would be possible.

(In reply to comment #8)
> I agree that updated definitions will already be in place in most cases. However
> adding the files makes the package behave like the one initially released which
> is desirable for a released openSUSE version.
The behaviour of the main package won't change, just the -db package would cease to exist.
> (It also makes the spec file change easier to review.)
For me it is more important to keep the spec file identical across all products for which I have to prepare ClamAV updates. That's how I did it for the last years.
> I would be concerned about changing the behaviour of a package in a non-trivial way.
The only change that I think would qualify as non-trivial would be the auto-fetching in the init script, and I don't insist on that one.

(In reply to comment #9)
> Should need more than adding "Obsoletes: clamav-db" to the main package.
s/Should/Shouldn't/

This is an autogenerated message for OBS integration:
This bug (767574) was mentioned in
https://build.opensuse.org/request/show/125471 Factory / clamav

This is an autogenerated message for OBS integration:
This bug (767574) was mentioned in
https://build.opensuse.org/request/show/126882 Evergreen:11.2 / clamav

openSUSE-SU-2012:0833-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 767574
CVE References: CVE-2012-1457,CVE-2012-1458,CVE-2012-1459
Sources used:
openSUSE 12.1 (src): clamav-0.97.5-4.1
openSUSE 11.4 (src): clamav-0.97.5-10.1

This is an autogenerated message for OBS integration:
This bug (767574) was mentioned in
https://build.opensuse.org/request/show/127196 Evergreen:11.2 / clamav

done

Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)

Update released for: clamav, clamav-db
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)

Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

This is an autogenerated message for OBS integration:
This bug (767574) was mentioned in
https://build.opensuse.org/request/show/547654 15.0 / clamav
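The init-script behaviour debated in the thread (check for the virus database at start-up, try a one-shot freshclam when it is missing, and only warn the administrator when that fetch fails rather than warning unconditionally) written out as an added shell example. This is not code from the bug, from the openSUSE clamav package or from upstream ClamAV. The database directory and the fetch command are parameters so the logic can be exercised offline; the file names it looks for (main and daily, as .cvd or the incrementally updated .cld) and the real call `freshclam` with `/var/lib/clamav` are assumptions about the package layout, and the two fake_fetch_* functions are constructed stand-ins for freshclam.

```shell
#!/bin/sh
# Added example, not part of the bug report or the clamav package.
# A real init script would call: ensure_clamav_db /var/lib/clamav freshclam
# (directory and command are assumptions about the package layout).

# clamav_db_present DIR
# Succeeds when DIR holds both a main and a daily database, in either the
# .cvd or the .cld form (freshclam may leave either; names are assumed).
clamav_db_present() {
    dir=$1
    for base in main daily; do
        if [ ! -f "$dir/$base.cvd" ] && [ ! -f "$dir/$base.cld" ]; then
            return 1
        fi
    done
    return 0
}

# ensure_clamav_db DIR FETCH_CMD
# Missing definitions: attempt one fetch (FETCH_CMD is invoked with DIR as
# its only argument) and complain only if the database is still unusable.
# Returns 0 when clamd can be started with definitions, 1 otherwise.
ensure_clamav_db() {
    dir=$1
    fetch=$2
    if clamav_db_present "$dir"; then
        return 0
    fi
    echo "clamd: no virus database in $dir, trying a one-shot update" >&2
    if $fetch "$dir" && clamav_db_present "$dir"; then
        return 0
    fi
    echo "clamd: no virus database in $dir and the update failed;" \
         "run freshclam once network access is available" >&2
    return 1
}

# Constructed stand-ins for freshclam so the example runs without network.
fake_fetch_ok()   { : > "$1/main.cvd"; : > "$1/daily.cld"; }
fake_fetch_fail() { return 1; }

# demo: exercise the three cases and succeed only if all behave as intended.
demo() {
    tmp=$(mktemp -d) || return 1
    # 1. empty directory, fetch succeeds -> definitions usable
    mkdir "$tmp/a"
    ensure_clamav_db "$tmp/a" fake_fetch_ok; r1=$?
    # 2. empty directory, fetch fails -> warning and failure
    mkdir "$tmp/b"
    ensure_clamav_db "$tmp/b" fake_fetch_fail; r2=$?
    # 3. definitions already present -> no fetch is attempted at all
    mkdir "$tmp/c"; : > "$tmp/c/main.cvd"; : > "$tmp/c/daily.cvd"
    ensure_clamav_db "$tmp/c" fake_fetch_fail; r3=$?
    rm -rf "$tmp"
    echo "fetch-ok=$r1 fetch-fail=$r2 present=$r3"
    [ "$r1" -eq 0 ] && [ "$r2" -eq 1 ] && [ "$r3" -eq 0 ]
}

demo
```

Keeping the fetch command as a parameter is what makes the "requires network access which might not be available" objection testable: the start-up path with no network behaves exactly like the fake_fetch_fail case, so the service still reports the missing database instead of hanging on it.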